
chore(go): bump indirect deps #650

Open

janishorsts wants to merge 2 commits into main from chore-go-deps

Conversation

@janishorsts janishorsts (Collaborator) commented Jul 4, 2026

Bumps multiple indirect Go dependencies in go.mod/go.sum to newer versions, addressing 6 known vulnerabilities and successfully removing github.com/opencontainers/runc from the dependency graph.

Resolved Vulnerabilities (govulncheck)

  • github.com/opencontainers/runc (Removed from go.mod):
    • GO-2025-4098 / CVE-2024-21626 (Critical): Container escape and DDoS due to arbitrary write gadgets and procfs write redirects in runc <= v1.1.9.
    • GO-2024-3110: File/directory creation exploit on the host via symlink swaps during operations like runc cp.
    • GO-2024-2452: Command execution/Container breakout vulnerability.
  • github.com/docker/docker (Upgraded to v28.0.4+incompatible):
    • GO-2025-3829: Bug where firewalld reload would remove bridge network isolation. (Fixed in v25.0.13+incompatible).
  • github.com/in-toto/in-toto-golang (Upgraded to v0.11.0):
    • GO-2026-5547: Inconsistent negation rules (using ^ instead of !) compared to in-toto-python which could allow layouts to bypass validation checks depending on the toolchain used.
  • golang.org/x/sys (Upgraded to v0.46.0 in examples):
    • GO-2026-5024: Integer overflow vulnerability in NewNTUnicodeString affecting Windows platforms. (Fixed in v0.44.0).

The buildkit upgrade blocks fixing the remaining vulnerabilities.
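A reviewer of a bump like this wants to confirm the "runc removed from the dependency graph" claim mechanically rather than by eyeballing go.sum. The following Go program is an added example written for this page; it is not code from this PR or from the project. It parses the output of `go mod graph` (one "parent child" pair per line, the main module printed without a version) and lists every require chain from the main module to a target module, so the direct dependency responsible for pulling it in is the first hop of each chain. The module names `example.com/app` and `example.com/container-lib` and every edge in the two sample graphs are constructed for the example and say nothing about which real module required runc in this repository.

```go
// Added example (not from this PR or the project): parse `go mod graph`
// output and show every require chain that pulls in a given module, so the
// claim "runc removed from the dependency graph" can be checked mechanically.
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// Graph maps each node ("path" for the main module, "path@version" for
// everything else) to the nodes it requires, one "parent child" pair per
// line of `go mod graph` output.
type Graph map[string][]string

// ParseGraph parses `go mod graph` output. A malformed line is an error so
// that a truncated capture is not mistaken for a clean graph.
func ParseGraph(r io.Reader) (Graph, error) {
	g := Graph{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed go mod graph line: %q", line)
		}
		g[fields[0]] = append(g[fields[0]], fields[1])
	}
	return g, sc.Err()
}

// modulePath drops the "@version" suffix so any version of a module matches.
func modulePath(node string) string {
	return strings.SplitN(node, "@", 2)[0]
}

// Paths returns every require chain from root to any version of target.
// The second element of each chain is the direct dependency responsible.
func Paths(g Graph, root, target string) [][]string {
	var found [][]string
	onStack := map[string]bool{} // cycle guard for mutually requiring modules
	var walk func(node string, chain []string)
	walk = func(node string, chain []string) {
		if onStack[node] {
			return
		}
		chain = append(chain, node)
		if modulePath(node) == target {
			found = append(found, append([]string(nil), chain...))
			return
		}
		onStack[node] = true
		for _, child := range g[node] {
			walk(child, chain)
		}
		delete(onStack, node)
	}
	walk(root, nil)
	return found
}

// Constructed sample graphs. The modules example.com/app and
// example.com/container-lib are hypothetical, and the edges are invented for
// this example; they do not describe this repository's real requirements.
const beforeGraph = `example.com/app example.com/container-lib@v1.0.0
example.com/app github.com/in-toto/in-toto-golang@v0.9.0
example.com/container-lib@v1.0.0 github.com/opencontainers/runc@v1.1.9
example.com/container-lib@v1.0.0 golang.org/x/sys@v0.10.0
github.com/opencontainers/runc@v1.1.9 golang.org/x/sys@v0.10.0
`

const afterGraph = `example.com/app example.com/container-lib@v1.1.0
example.com/app github.com/in-toto/in-toto-golang@v0.11.0
example.com/container-lib@v1.1.0 golang.org/x/sys@v0.46.0
`

func main() {
	const target = "github.com/opencontainers/runc"
	samples := []struct{ name, text string }{{"before", beforeGraph}, {"after", afterGraph}}
	for _, s := range samples {
		g, err := ParseGraph(strings.NewReader(s.text))
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		chains := Paths(g, "example.com/app", target)
		fmt.Printf("%s: %d chain(s) to %s\n", s.name, len(chains), target)
		for _, c := range chains {
			fmt.Println("  " + strings.Join(c, " -> "))
		}
	}
}
```

On a real checkout, feed it `go mod graph` output and look for zero chains after the bump. One caveat worth keeping in mind: `go mod graph` prints requirement edges from every listed version, including ones that minimal version selection did not select, so a module appearing there is not necessarily in the build. `go list -m all` shows the selected build list, `go mod why -m <module>` gives the authoritative chain for a single module, and `govulncheck ./...` reports only the vulnerable functions actually reachable from the code, which is the number that matters for the list above.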

@janishorsts janishorsts self-assigned this Jul 4, 2026
@janishorsts janishorsts requested a review from a team as a code owner July 4, 2026 11:10
@janishorsts janishorsts requested review from gilescope and removed request for a team July 4, 2026 11:10
github-actions Bot commented Jul 4, 2026

➖ Are we earthbuild yet?

No change in "earthly" occurrences

📈 Overall Progress

Branch      Total Count
main        5408
This PR     5408
Difference  +0

Keep up the great work migrating from Earthly to Earthbuild! 🚀

💡 Tips for finding more occurrences

Run locally to see detailed breakdown:

./.github/scripts/count-earthly.sh

Note that the goal is not to reach 0.
There is anticipated to be at least some occurrences of earthly in the source code due to backwards compatibility with config files and language constructs.

socket-security Bot commented Jul 4, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                                                       Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  golang/github.com/containerd/platforms@v0.2.1 ⏵ v1.0.0-rc.4   99                     100            100      100          100

gemini-code-assist Bot left a comment

Code Review

This pull request updates numerous Go dependencies in go.mod and go.sum. Key updates include upgrading github.com/docker/docker to v28.0.4, github.com/opencontainers/runtime-spec to v1.3.0, and various containerd, moby, and prometheus libraries to newer versions. As there are no review comments provided, I have no feedback to offer on this pull request.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
